[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ArcotSign (was Re: Does security depend on hardware?)
In response to the interest indicated by the discussion on coderpunks/cipherpunks
mailing lists, we have put a technical note about the Arcot key container
("software smart card") on our site at:
http://www.arcot.com/camo2.html
We would appreciate your comments.
This note doesn't tell everything about our method--we *are* developing a
commercial product, after all--but we hope that it will suffice to show
knowledgeable readers our main ideas and convince them that a software key
container that provides protection similar to that of a smart card is in fact
possible.
I should remark that:
- Arcot key protection does not depend on making client-side
software complicated or on keeping the algorithms secret. It
depends on making it hard for an attacker to tell when he has
cracked it, by keeping information that the attacker might use
to identify the private key out of his reach (such as the
public key).
- Consequently, there are significant restrictions on the
situations in which Arcot key protection works. For example:
- It isn't useful for encryption.
- It isn't good for stranger-to-stranger authentication.
- It is good for authenticating yourself to your bank, an
online merchant with whom you have an account, or to your
employer.
- Like smartcards, it provides two-factor authentication--you
need to have the key container and know the password in order
to authenticate. Its key protection is slightly weaker because
it is easier to steal (just copy) a card without the theft being
noticed.
- Of course, the crypto has to be done in software. If your
application warrants that level of paranoia, then maybe you
really should be using hardware--but are you sure that your
smart card is really signing the document you think it
is? Most commercial applications don't warrant this level
of paranoia. And hardware costs money.
Regards,
Doug Hoover
begin: vcard
fn: Douglas Hoover
n: Hoover;Douglas
org: Arcot Systems
adr: 2197 Bayshore Rd;;;Palo Alto;CA;94303;US
email;internet: [email protected]
tel;work: 650 470-8203
tel;fax: 650 470-8208
x-mozilla-cpt: ;0
x-mozilla-html: TRUE
version: 2.1
end: vcard